The present invention relates generally to network communications. More specifically, the present invention is a method and apparatus for using digital signatures to filter packets in a network.
Internet protocol (IP) Multicasting is a form of network communication in which a single message is sent to multiple destinations at once. A multicast group owner sets up a multicast group address. Senders and receivers may join the group by accessing the group address.
One problem with IP multicast is that it allows unauthorized senders to transmit to the multicast group, requiring the end host system to keep state and to process packets which are not authorized to be sent to the group. The packets are transmitted by the unauthorized sender and forwarded by routers to the end host. Routers are systems which can be used to forward packets between networks.
One solution to this problem is for the group owner to encrypt the session and require authorized members to obtain a group key in order to decrypt the data. However, this mechanism does not prevent denial of service attacks where unauthorized senders from a network on one side of a router or a firewall transmit numerous IP messages to an end host in a network on the other side of the router or firewall. The router or firewall passes the packets from the network where the sender is located to the network where the end host is located, without processing the packets. The end host receives and processes each packet to determine whether the sender may join the encrypted session. If the sender is not authorized to join the session, the end host denies service to that sender. A malicious user, in what is called a denial of service attack, may send numerous unauthorized messages to an end host system on the other side of a router or a firewall. Even though the malicious user is not authorized to access the system, it can cause a network bottleneck because the end host at the other side of the router or firewall must process all of the incoming messages to determine whether the sender may join the encrypted session, thereby using up network bandwidth and resources.
Consistent with the present invention, a method and apparatus for using digital signatures filters packets in a network in order to avoid wasting router bandwidth and resources on processing packets associated with unauthorized senders.
An embodiment consistent with the present invention includes a method and apparatus for filtering packets, performed by a data processing system, which comprises the steps of receiving a packet including a header; detecting the existence of a signature in the header, and forwarding the packet in accordance with the validity of the signature. The data processing system that performs these steps may be, for example, a router or a firewall. An embodiment consistent with the present invention may be implemented as a computer program product or as a computer data signal embodied in a carrier wave. An embodiment consistent with the present invention also includes a method and apparatus for sending packets, performed by a data processing system, which comprises the steps of storing a private key in a memory of the data processor, generating a signature using the private key, installing the signature into a header of a packet, and sending the packet. An embodiment consistent with the present invention may be implemented as a computer program product or as a computer data signal embodied in a carrier wave.
An owner disseminates private keys to the senders. When there are numerous keys, the keys may be stored in indexed tables. A sender signs the packet using the one of the private keys. A router or a firewall then determines the validity of the signature by checking the signature using the public key. If the signature is valid, the router or firewall forwards the packet. Packets having an invalid signature are discarded.
The method for signing the packet may include creating a fingerprint corresponding to the data and encrypting the fingerprint using a private key to yield a signature. The method for checking the signature may include decrypting the fingerprint using a public key and comparing the decrypted fingerprint to a newly created fingerprint of the data.
An embodiment consistent with the present invention also includes a method for filtering packets, performed by a data processing system, which comprises the steps of receiving a plurality of packets, each of which includes a header, determining a number of packets received from a particular source, detecting the existence of a signature in the header, and forwarding the packet in accordance with the validity of the signature and with whether a router limit has been exceeded. The router limit may be associated with a number of packets per predetermined set of senders in order to limit the size of the group of authorized senders. The router limit also may be associated with a predetermined period of time to limit the rate at which senders transmit packets to the router.
Advantages of the invention will be set forth, in part, in the description that follows and in part, will be understood by those skilled in the art from the description or may be learned by practice of the invention. The advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims and equivalents.